Post on 09-May-2018
Unlocking the value of Internal Audit
Presenter : Everton Ferguson, Senior Manager Advisory Services
| Page 1© 2011 EYGM LimitedAll Rights Reserved
What is Internal Audit ?
“Internal auditing is an independent, objective assurance and consultingactivity designed to add value and improve an organization’s operations. Ithelps an organization accomplish its objectives by bringing a systematic,disciplined approach to evaluate and improve the effectiveness of riskmanagement, control and governance process.”
| Page 2© 2011 EYGM LimitedAll Rights Reserved
What is a risk ?
A risk is the threat that an event, an action or the absence of action couldimpact:
• The achievement of objectives (of the group or individual management)
• The value of the group’s assets (tangible and intangible),
• Compliance with rules and regulations
| Page 3© 2011 EYGM LimitedAll Rights Reserved
What is Enterprise Risk management (ERM)?
An organization’s competency to manage uncertainty, more effectively minimizing threats and maximizing opportunities.
ERM is characterized by systematic management practices to assess and monitor risks, and improve the way that risk is managed, supported and enabled by the appropriate risk management framework.
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO).
| Page 4© 2011 EYGM LimitedAll Rights Reserved
What are Internal Controls ?
The dynamic, integrated processes, effected by an organization’s board of directors (or equivalent), management and all other staff, that are designed to provide reasonable assurance regarding the achievement of objectives in the following general categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial and management reporting
3. Compliance with applicable laws, regulations and internal policies.
| Page 5© 2011 EYGM LimitedAll Rights Reserved
Business performance benefits from risk management
Companies with more mature risk management are leveraging risk management to create a more robust and vital organization • An Aon survey indicated 79% of organizations with advanced stages of risk management
maturity were very or moderately successful in protecting and enhancing shareholder value
• In the same survey, 79% of organizations with advanced risk management maturity were very or moderately successful in facilitating change
Companies with strong risk management attract increased investor funds and share price premiums• An Ernst & Young survey indicated that 82% of investors will pay a premium for
companies that demonstrate successful risk management• In the same survey, 61% of investors will avoid investing if risk management is deemed
insufficient
| Page 6© 2011 EYGM LimitedAll Rights Reserved
Business performance benefits from risk management
If done well, risk management can create competitive advantage
Companies with sound risk management were more effective in navigating the recent financial crisis• A Marsh survey indicates that companies with strategic views of risk management are
twice as likely as traditional companies to believe that their risk management systems helped them navigate the financial crisis
Companies with strong risk management are likely to have better credit ratings• S&P now rates companies on risk management as part of their credit ratings
• In Marsh’s survey, 23% of respondents who indicated their company has made changes in risk management indicated a key driver behind those changes has been the increased focus by rating agencies like S&P
| Page 7© 2011 EYGM LimitedAll Rights Reserved
Insights on Internal Audit
96% of companies believe strong risk management has a positive impact on their long-term earnings performance
94% of companies believe that their Internal Audit function has an important role in their overall risk management efforts
94% of companies have been asked to improve their risk coverage through Internal Audit
77% of companies have been asked to improve Internal Audit with the same or reduced cost/budget
Source – Ernst & Young Risk Survey conducted in 2010 with Global Audit Committee Members, CEOs and CFOs
| Page 8© 2011 EYGM LimitedAll Rights Reserved
Insights on Internal Audit
44% of companies believe Internal Audit helps their organization achieve its business objectives
38% of organizations believe their Internal Audit function is consistently strong across all geographic locations
37% of organizations involve Internal Audit in key business decisions and strategy
32% of organizations believe their Internal Audit function attracts future leaders and high-potential talent from within the business
Source – Ernst & Young Risk Survey conducted in 2010 with Global Audit Committee Members, CEOs and CFOs
| Page 9© 2011 EYGM LimitedAll Rights Reserved
Insights on Internal Audit
Source – Ernst & Young Risk Survey conducted in 2010 with Global Audit Committee Members, CEOs and CFOs
74 % of organizations believe there is a need
to improve their Internal Audit
function
Of these organizations, 96% of
companies believe they should make
improvements within the next 24 months
77% of organizationsconsider co-sourcing viable, 66% consider outsourcing viable
51% of companies would
consider outsourcing all or
part of their IA organization
for a cost savings of 20%
| Page 10© 2011 EYGM LimitedAll Rights Reserved
What are executives asking?
“Is my Internal Audit function contributing to key business objectives?”
“How do I know I am getting value from my Internal Audit function?”
Should my Internal Audit function be responsible to help add value and improve my business?”
“Does my Internal Audit function have the right skills in the right places?”
“How can Internal Audit help to get better risk coverage for less cost?”
“Does my Internal Audit function understand their key stakeholder expectations?”
Shareholder confidence Operational agility
Emerging markets/customer reachCost competitiveness
| Page 11© 2011 EYGM LimitedAll Rights Reserved
Questions You Should Ask About Your Company’s IA Function
• What is the role of our IA function?
• How much of our company's risk is covered by our IA function?
• Does the function add value to the business?
• Do we have the right leadership for IA?
• Do we have the right IA people?
• How do we focus and motivate our IA professionals?
• How do we maintain consistent quality?
| Page 12© 2011 EYGM LimitedAll Rights Reserved
Questions You Should Ask About Your Company’s IA Function
• Does our IA function use the right tools to deliver value?
• How do we know if we are continuing to get what we want
• Are we investing enough?
• Do I know I have an effective Internal Audit function based on objective performance and cost benchmarks?
• What does Internal Audit do to help increase the competiveness of my business?
| Page 13© 2011 EYGM LimitedAll Rights Reserved
Linking business performance to Internal Audit
Internal Audit enables improvement to business performance
Implications for Internal Audit Focus on high risk areas while driving value and
reducing costs Value Charter
+ =Stakeholder expectations
Business objectives/Business value agenda
Internal Audit enabled business performance
Governance and risk management
Internal Audit capabilities
Mandate: Alignment with stakeholder expectations and support of business objectives
People: Highly skilled and experienced people
Methods: Dynamic approach Technology enablement: Advanced tools and techniques
Coordination with all other risk and assurance activities
| Page 14© 2011 EYGM LimitedAll Rights Reserved
Unlocking the value of Internal AuditAligning Internal Audit with business objectives
Risk Value
Cost
Example value objectives•Improve overall skills and personnel in the Internal Audit function
•Increase business performance capabilities
•Improve results on major change programs
•Advise on entering new markets
•Benchmark against peer organizations
Example risk objectives•Improve risk assessment•Enhance coverage of key and emerging risks
•Improve coordination with other risk functions
•Improve overall control awareness and control behavior
Example cost objectives•Improve efficiency and effectiveness of the control environment
•Leverage technology to reduce Internal Audit costs
•Improve staffing flexibility to manage through peak/trough capacity demands
| Page 15© 2011 EYGM LimitedAll Rights Reserved
What if internal audit was addressing stakeholder needs?
• A highly effective Internal Audit function has the following traits• Reliable assurance
• Covering the entire spectrum of governance, risk management and internal control
• Able to deliver a reliable EGRC appraisal in real time• Highly efficient• Quick to the answer
• Fast and flexible• Rapid escalation, improvement• Cost effective
• Improvement orientation• Facilitator of improved risk management and control
across the firm• Rapid problem diagnosis• Setting the standards and stretching firm performance• Anticipate issues: fewer ‘unknowns’• Known problems getting fixed – and if not, why not?• Sharing of best practices
A highly effective audit function has a notable impact on the business as a result of delivering on the main characteristics illustrated.
Non-negotiable
Value gap
Highly efficient
Improvement orientation
Reliable assurance
The ‘value gap’ represents the opportunity for long term
improvement
| Page 16© 2011 EYGM LimitedAll Rights Reserved
What if internal audit was a valued business advisor?
Strategic and Valued AdvisorInternal audit function serves as a subject matter specialist to business management around strategic initiatives, challenges and changes in the organization. The function has the people, knowledge and experiences to effectively provide this level of service.
Business InsightIn addition to covering the “basics”, the internal audit function is designed to provide high quality, relevant business insight as an integral part of its activities. Business insight is not a by-product, but an explicit outcome from the function’s activities.
Control and Compliance Monitoring StructureInternal Audit function focused on evaluating the design and the effectiveness of internal controls in those areas outlined in their charter or mandate. Also includes focusing on compliance with key regulations and policies.Non-negotiable
Audit committee and management expectations
Company initiatives and business initiatives
Mandate for internal audit
| Page 17© 2011 EYGM LimitedAll Rights Reserved
Business insightsControl and
compliance
What if the gaps were closed?
Competency gap• Rotational resource model• Lack of scale to adequately staff certain areas
• IT, international, treasury, taxes, supply chain• Fraud prevention and detection
• Audit activity = available resources• Traditional role of internal audit function limits scope• Alignment with strategic plan and initiatives to support• Industry/competitive insight
Enablement gap• Traditional risk assessment and audit planning approach• Not driven by business risk• Heavy focus on auditable units and locations• Limited use of data analysis and modeling• Limited training and development• Lack of effective prioritization• Unwillingness to change• Not focused on key business process improvements
Critical areasNon-negotiable Business relevance
Enablement gap
Transformation gap
Strategic and valued advisor
The transformation gap keeps many IA functions from becoming a strategic and valued advisor to executive management and their boards of directors. Targeting approaches that help fill the gap will allow for enhanced performance.
Competency gap
Filling in the gaps can help improve IA performance and client service.
| Page 18© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• The role of internal audit has never been more important. Internal audit must keep up with the increased scope of responsibilities and help to identify vulnerabilities to unknown or unacceptable levels of risks.
• Audit planning that is based on the results of strategy- based risk assessment allows internal audit to execute a plan that is focused on the most important business risks-strategic, operational, financial, and compliance – across the organization.
Are internal audit functions identifying all of the key risks that could have a significant impact on the business?
| Page 19© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Many organizations do not believe that their internal audit functions have the necessary funding to help management effectively evaluate and monitor key business risks.
• The institute of Internal Auditors (IIA) fully supports a strong role for internal audit in managing organization–wide risk. IIA Standard 2010 states that internal audit should conduct an annual, or more frequent, risk assessment to serve as the basis for planning audit engagements.
• A formal, strategy-based, entity-level risk assessment by internal audit can help to advance significantly the organization’s ability to understand its key business risks and, if done correctly, can become an integral part of management’s risk assessment process.
Does internal audit have the budget to cover all key business risk effectively?
| Page 20© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
The role of internal audit includes assisting management in identifying, prioritizing, reviewing, and monitoring risks. The first step is an effective risk assessment process.
Questions that internal audit should ask to evaluate management’s current risk assessment process include:• Does management currently conduct a risk assessment?• Is the risk assessment process aligned with the organization’s
strategies?• Does it address all key business risks across the organization? • Are the appropriate stakeholders engaged in the process?• What does management do with the results of the risk assessment?
Is internal audit effectively monitoring the top risks facing the organization?
| Page 21© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Some leading internal audit functions use industry-sector specific risk models and other external data to identify key business risks.
• Industry-sector risk models are available through various sources, including professional service providers.
Does internal audit have access to the right knowledge and technology tools to effectively identify, assess, and prioritize the key business risks of the organization?
| Page 22© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
When evaluating the options, careful consideration should be given to understanding:
• Whether the risk data is truly industry or sector specific
• If the data highlights strategic and external risks
• How the data is gathered
• How often the data is updated.
Does internal audit have access to the right knowledge and technology tools to effectively identify, assess, and prioritize the key business risks of the organization? Continued
| Page 23© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• The purpose of an audit plan is to provide detail on the audits to be performed, timing and assignment of teams with the requisite skill sets.
• The strategy-based, entity-level risk assessment provides the basis for developing an audit plan that is risk-focused and flexible enough to meet the needs of the organization’s rapidly changing business environment.
Does internal audit have adequate resources and the right skill set to help managementAddress the top risk areas of the organization and execute the audit plan?
| Page 24© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Leading internal audit functions view the audit plan as a living, changing collection of risks and or control audits that are aligned with business activities and support management’s effort to implement organizational strategies successfully.
• An audit plan that fails to keep pace with these changes allows significant business risks to emerge and not be addressed.
Does internal audit have adequate resources and the right skill set to help managementAddress the top risk areas of the organization and execute the audit plan?
| Page 25© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
The key steps to developing a risk-focused audit plan are:• Mapping the key business risks to the auditable entities
• Developing an audit plan that addresses the auditable entities with the highest risk, without regard to available skill sets.
• Assigning resources with the skill sets necessary to participate on the audits
Does internal audit have adequate resources and the right skill sets to help management address the top risk areas of the organization and execute the audit plan? (continued)
| Page 26© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Validating the audit plan with management and the audit committee
• Revisiting the audit plan, as well as updating the risk assessment, as a result of the organization’s changing business environment
Does internal audit have adequate resources and the right skill sets to help management address the top risk areas of the organization and execute the audit plan? (continued)
| Page 27© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Audit Committee and Executive Management Sponsorship – the importance of sponsorship from the top cannot be overemphasized. Many hurdles can be overcome with the proper level of support.
• Stakeholder Accessibility and Participation – Access to and participation by, all stakeholders is crucial to effectively identifying and assessing the organization’s key business risks and to validating the audit plan.
• Necessary Skills Sets – The internal auditors who are responsible for preparing and conducting the assessment must possess the necessary skill-sets to help management identify and assess key business risks.
Critical Success Factors for an Executive Risk Assessment and Audit Plan Process
| Page 28© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Maintaining Objectivity – IIA Standards 1120 and 1130 advocate that internal auditors remain objective in their work, both in appearance and in fact. When working closely with leadership across the organization, the internal audit team must maintain a degree of healthy skepticism, even as the audit team strives to develop a rapport with the stakeholders during meetings, interviews and workshops.
Critical Success Factor for an Effective Risk Assessment and Audit Plan Process, Continued.
| Page 29© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Knowledge – Strategic business risks are as dynamic as the business they influence. Having access to relevant, timely, and sector-specific risk data can mean the difference between an organization successfully managing key business risks on a timely basis and it being exposed to unwanted business or market risks.
• Technology – There are a number of technology platforms that enable risk assessments, audit planning, scheduling and audit execution.
Critical Success Factor for an Effective Risk Assessment and Audit Plan Process, Continued.
| Page 30© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• Today’s internal audit functions face many challenges in providing increased value to their organizations and to execute an audit plan that aligns with the business and focus on key business risks. Questions to help internal audit address these challenges include:
• Have all of the key business risks that have a significant impact on the organization been identified?
Management Consideration
| Page 31© 2011 EYGM LimitedAll Rights Reserved
Risk Assessment and Audit Planning
• What processes, knowledge sources, and technologies will facilitate the assessment and prioritization of key business risks and the development of the risk-based audit plan?
• Does the internal audit plan cover all the key business risks facing the organization?
• Does internal audit have the necessary resources and skill sets to help management address the top risks and execute the audit plan?
Management Consideration, Continued
| Page 32© 2011 EYGM LimitedAll Rights Reserved
Internal Audit Value Case Study –Internal Audit Department Establishment
The results (benefits/impacts): Value added
1. Developed risk tolerance and internal audit risk rating to establish common materiality and expectations
P
2. Due to knowledge that Internal audit had of the Company, PI is currently assisting management of Parent and Subsidiaries management in building multiple shared service centers globally.
P
3. Established a solid framework to help management to strategically invest in a more robust economic environment.
P
The business objective(s): ► Subsidiary’s parent mandated the establishment of an
internal audit function► Establish a solid risk framework for which to execute
and report to executive management
The role of Internal Audit: ► Performed an entity wide risk assessment to establish a baseline of the
company’s risk universe and a risk tolerance based on management's criteria, communication and reporting protocols.
►Worked closely with management to verify that the internal control environment was not compromised due to significant employee turnover and decreasing profits due to the economy.
► Established n internal audit function including a cross functional team (Risk, ITRA and PI) to assist the Company in executing the Internal Audit plan and other key initiatives (e.g., Shared Service Center)
The Bottom Line …
• Established the ground work for the internal auditdepartment.
• Assistance was provided to the internal controlsmanager in establishing the internal controlsframework.
• During the risk assessment Internal audit identified a number of strategic areas management must address to establish a successful strategy.
Compliance
Strategic Operational
Financial
Risk Universe Components
| Page 33© 2011 EYGM LimitedAll Rights Reserved
Internal Audit Value Case Study –Internal Audit Transformation
The results (benefits/impacts):Value added
1. Internal audit revised its existing team structure to gain efficiency and better align itself with other risk functions.
P
2. Internal audit adopted a more consistent approach, methodology, documentation and reporting
standards to allow for greater synergies within Internal Audit as well as the other risk functions.
P
3. Internal audit reduced and in some cases, eliminated low risk audit activities allowing the department to focus on higher risk areas.
P
The business objective(s): ► Standardize and harmonize processes across the IA function.► Centralize and optimize processing activities.► Leverage technology and process best practices.
The role of Internal Audit:
► The team was comprised of risk, IT and process improvement resources to assess and identify opportunities for improvement to transform the Internal Audit (IA) and other risk functions.
► The team performed an assessment of the IA team structure, roles, responsibilities and job descriptions.
► The team also interviewed stakeholders to determine the effectiveness of the internal audit and other risk functions for process improvements, effectiveness and efficiencies.
The Bottom Line …
The company was able to eliminate inefficient processes that resulted in a reduction in headcount and cost savings estimated at $6-$8 million.
COSTHighly efficient
VALUEImprovement orientation
Reliable assurance
RISK
The ‘value gap’ represents the opportunity for long term improvement
| Page 34© 2011 EYGM LimitedAll Rights Reserved
Internal Audit value case study -M&A process assessment
The business objective(s): ► As M&A activity at the Company had gained momentum over the
past years, management identified processes needing significant improvement and greater consistency across the Company.
► Define a structured framework for managing the deal lifecycle► Enhance in-house expertise in all areas of M&A to enhance deal
value and mitigate M&A risks► Provide a M&A Playbook for facilitating the deal lifecycle
The role of Internal Audit: ► Internal audit played a lead role in benchmarking current
processes against leading industry practices for mergers and acquisitions
► Internal Audit identified improvement opportunities for key processes and provided a roadmap for reaching an optimal M&A process maturity
The Bottom Line …
Internal audit co-developed and gained executive management consensus for a future state vision aimed at ensuring the right transaction opportunities are targeted and properly negotiated, and that value creation is optimized.
The results (benefits/impacts): Value added
1. IA served as a knowledge source to provide insights on leading M&A practices.
P
2. IA lead the development of maturity profile of Company’s current state processes and desired future state.
P
3. IA partnered with the business to identify prioritized improvement opportunities and develop a roadmap of action items.
P
Infrequent BuyerDeveloping Advanced
Deal Lifecycle Maturity Model
Effic
iency
Current State for Selected AttributesMaturityCurve
Serial BuyerBasic
| Page 35© 2011 EYGM LimitedAll Rights Reserved
Internal Audit value case studyMajor construction / renovation project
The results (benefits/impacts): Value added
1. Subject matter resources helped reduce the risk of operational breakdown by evaluating on-going construction project risks (e.g. cost overruns, schedule delays, loss or productivity, quality issues) and identifying process improvement opportunities leveraging deep industry specific knowledge.
P
2. IA identified process improvements that lead to a reduction in financial risks such as improper accounting, misappropriation of assets, lack of proper payment authority and excess spending.
P
The business objective(s): ► Successfully perform new construction, renovation, and maintenance of
current facilities throughout the U.S. in conjunction with $2.1 billion capital program
► Achieve quality, on-time and on-budget construction projects► Achieve enhanced compliance, process improvement, risk mitigation, and
consistency in operating practices among financial and operational aspects of construction projects
The role of Internal Audit: ► Internal audit leveraged subject matter resources with construction & real
estate advisory experience in conjunction with Risk professionals, and evaluated financial and operational aspects of construction projects at selected high risk locations
► Through interviews of Company personnel, review of project organization, leadership and management, the team performed an evaluation of operational processes and controls inherent to construction projects
The Bottom Line …
Internal Audit evaluated $6 million of construction change order costs and recovered $2 million in non-allowable charges.
In addition, Internal Audit identified significant financial control weaknesses, which, if not identified, could have potentially cost the Company $15 - $20 million per year.
| Page 36© 2011 EYGM LimitedAll Rights Reserved
Internal Audit Value Case Study –ERP System Implementation
The results (benefits/impacts): Value added
1. Internal Audit helped reduce the risk of operational and financial breakdown by:
- evaluating on-going implementation project risks: schedule delays, testing results, mapping issues etc.
- identifying process improvement opportunities and controls gaps leveraging on process and information technology knowledge.
P
2. Internal Audit delayed the go-live date of the system several times until the system was properly functional.
P
The business objective(s): ►To implement an ERP system in an effort to streamline the
close process and create a unified chart of accounts for the company. The implementation would allow for improved reporting, improved accuracy of financials, and increase operational efficiency of the close process.
The role of Internal Audit:
► Internal Audit leveraged Risk and ITRA professionals (with financial close, internal control and system implementation experience) to evaluate the implementation strategy and execution, the process design, and the manual and application control design for the project.
►Management also requested that Internal Audit provide a recommendation on when the system would be functional to go-live.
The Bottom Line …
Internal Audit aided the company in successfully implementing a new ERP system by providing recommendations on improving the process, adding additional controls, and delaying the go-live date of the new system until all testing was completed without issue. The system went live with zero defects.
| Page 37© 2011 EYGM LimitedAll Rights Reserved
Options to Transform IA – Benefits and Challenges
Outsourcing Co-sourcing In-houseBenefits Ø Fastest route to desired state
Ø Quickly enhances credibility of function
Ø Least expensive option-investment in methodology, technology, training, recruitment/retention are borne by third party
Ø Ability easily expand /contract spendØ Only paying for productive time Ø Third party deals with personnel
related issues
Ø Higher productivity while expanding risk coverage
Ø Ability to leverage third part’s investment in tools, methodology etc.
Ø Portion of function is variable cost Ø Raises the bar for
productivity/quality Ø Maintain organizational knowledge Ø Highly flexibleØ Consideration given to Hiring
certain in-house resources to help with the transition process
Ø Potential talent pipeline for organization
Ø Least disruptive to employees and organization
Ø Maximize organization knowledge/relationships
Ø Historical knowledge of IA is maintained
Ø Potential talent pipeline for organization
Challenges Ø Change management considerationsØ Cultural change for the organizationØ Potential loss of organizational
knowledge
Ø Cultural integration of different audit teams
Ø Existing personnel development challenges
Ø HR process around identifying employees to retain/terminate
Ø Highest cost modelØ Longer time frame to effect
desired transformationØ Increased and continuous
investment in methodology, people and tools
Ø Inflexible staffing modelØ Existing performance
issues/upward mobility challenges
| Page 38© 2011 EYGM LimitedAll Rights Reserved
… Questions?